Top 10 Best Practices for Network Access Control
IT organizations considering implementing a Network Access Control
(NAC) project should think carefully about the objectives of the project,
and the different requirements for managed and unmanaged endpoints.
In our experience—and leading market analysts concur—organizations
can realize significant savings in the time, complexity, cost, and end-user
impact of a NAC if they deploy agent-based technologies that automate
device assessment against configuration baselines, automate remediation, and
enforce those configuration baselines even when the device is off-network.
The main thing we have discovered is that successful NACs focus on
managing endpoint security baselines every bit as much as deciding
which endpoints to admit or exclude from a network. The visibility and
active baseline management that goes along with this approach also
enables IT departments to set higher standards for network admission.
If you can’t see into endpoints or prescribe and maintain “security dress
codes,” it’s all too easy to take a lowest common denominator approach
to admitting endpoints.

top 10 best practices for network access control

BIGFIX

WHITE PAPER

This concept of active pre-mediation of endpoints is ambitious, but following
some basic best practice principles can smooth the way and help assure
long-term success in implementing combined network access and endpoint
management solutions.

1. Know What You Don’t Know
Many customers are shocked to discover how little they know about assets
on their networks when they implement a NAC solution and first turn it on.
Therefore, one of the key missions of the early stages of a NAC solution
is to quickly and thoroughly identify and inventory all known and unknown
assets and distinguish between well-behaved and ill-behaved endpoints. By
performing triage early and accurately, IT organizations can productively focus
on remediating or quarantining rogue elements and spend less time wondering
if an otherwise benign endpoint has deficiencies that may require attention.

2. Have a Single “System of Truth”
To know what you don’t know, it’s important to have a single, authoritative
source of knowledge on endpoint security configurations. Since device
configurations and status are subject to constant change, knowledge should
be as real-time as possible. Scanning a network once a week, or even
once a day, is insufficient to know what’s really going on or to intercept fast-moving threats.

3. Quarantine is a Last Resort
Every minute an otherwise “good” device spends in quarantine is a minute
that sacrifices productivity, irritates end users and requires automated or human
intervention to remediate the device. It is far better to have a proactive program
that seeks to keep managed devices in compliance with NAC policies and out
of quarantine. As with many things in life, an ounce of prevention is worth a
pound of cure.

4. Automate Assessment and Remediation
Manual assessment and remediation processes are expensive, slow and subject
to human error. Furthermore, attempting to avoid support costs by relying
on end users to manage their own machines distracts them from what
they were really hired to do—accounting, sales, management, research,
etc.—and increases the risk of error and neglect. By contrast, automated
approaches to assessment and remediation are faster, require less human
intervention and also make the NAC process less intrusive on end user work
styles and productivity.

5. Be Transparent to End Users
The less an end user notices that their machine is under NAC management,
the better. Intrusive NACs that interrupt logon processes, stop machines
to install patches and updates, or generally make themselves known to users

in inconvenient ways do more than make IT departments unpopular. They
tempt users to circumvent management controls and undermine all the good
work you have done in protecting the enterprise network.

6. Manage Endpoints Anytime, Anywhere
Just because a mobile device logs off an enterprise network and goes roaming
does not mean it is beyond the reach of NAC-oriented security configuration
remediation. Persistent agent-based management technologies can maintain
policies in force on roaming devices, and technologies exist for mobile
systems to “phone home” via the Internet to report status and pick up the
latest patch and configuration policy content.

7. Implement Global, Comprehensive Solutions
It’s the devices that you don’t know about that will hurt you the most. Avoid,
or at least be skeptical about, approaches that have blind spots in terms of
platform coverage (for example, Windows but not Unix), the issues they address, or
even the timeliness of information they collect about endpoints.

8. Change in Manageable Increments
Taking an “early and often” approach to change management on end user
devices has a number of advantages. It helps maintain policy currency. It
makes NAC management less obtrusive to end users. And it reduces the risk that
big, complex, all-at-once changes will have unpredictable effects on system
availability and performance.

9. Leverage Redundant Systems
“What if it fails?” is a question that should be frequently asked in the design
phase of every NAC project. Either building in redundancy or taking advantage
of existing surplus resources to enable failover or quick service restoration
is a classic way of improving reliability of NAC solutions. Remember also
that breakdowns and service outages not only inconvenience end users,
they create opportunities for the bad guys to do things that would normally
prove difficult.

10. No NAC Stands Alone
It’s a given that a NAC solution will not be an organization’s only security
defense. But as IT security and operations management continue to converge,
the best designed and implemented NACs make it hard to tell where security
management ends and operations management begins. Integrating and
consolidating NAC tools and processes with other management practices
reduces costs, improves security efficacy and increases overall quality
of service.
In the final analysis, the specifics of a given NAC technology are no guarantee
that the solution will be successful. As always, it’s the thoughts, actions
and practices that surround a technology that make the difference between
success and failure.


BigFix: Breakthrough Technology, Revolutionary Economics
Founded in 1997, BigFix®, Inc. is a leading provider of high-performance
enterprise systems and security management solutions that revolutionize
the way IT organizations manage and secure their computing infrastructures.
Based on a unique architecture that distributes management intelligence
directly to the computing devices themselves, BigFix is radically faster, more
scalable, more accurate and more adaptive than legacy management software.
From Systems Lifecycle Management and Security & Vulnerability Management
to Endpoint Protection, BigFix solutions automate the most labor-intensive
IT tasks across the most complex global networks, saving organizations
significant amounts of time, labor, and expense. BigFix provides real-time
visibility and control for millions of globally distributed computing devices.
The BigFix customer list counts many of the world’s largest and most prestigious
organizations in every industry, including financial services, retail,
education, manufacturing, and public sector agencies. More information can
be found at www.bigfix.com.